2018-2019 Annual Report to Parliament on the Administration of the Privacy Act

Foreword

Each fiscal year, the head of every government institution prepares and submits an annual report to Parliament on the administration of the Privacy Act.

This report is tabled in Parliament in accordance with section 72 of the Privacy Act under the direction of the Minister of National Revenue and the Commissioner of the Canada Revenue Agency (CRA). It describes how the CRA administered and fulfilled its obligations under the Privacy Act between April 1, 2018, and March 31, 2019. The report also discusses emerging trends, program delivery and areas of focus for the year ahead.

The Privacy Act

The Privacy Act came into force on July 1, 1983. It protects the privacy of individuals by outlining strong requirements for collecting, retaining, using, disclosing and disposing of personal information held by government institutions. It provides individuals (or their authorized representatives) with a right of access to their own personal information, with limited and specific exceptions, and with a right of correction and or annotation. Individuals who are not satisfied with an institution’s handling of their personal information or any matter related to a formal request made under the Privacy Act are entitled to complain to the Privacy Commissioner of Canada. 

The Privacy Act’s formal processes do not replace other ways of obtaining federal government information. The CRA encourages individuals and their representatives to consider requesting information through the CRA’s website at canada.ca/en/revenue-agency.html or through the CRA’s 1-800 lines.

Overview of the Canada Revenue Agency

The Canada Revenue Agency (CRA) administers tax laws for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to enter into new partnerships with the provinces, territories and other government bodies (at their request and on a cost-recovery basis) to administer non‑harmonized taxes and other services. Overall, the CRA promotes compliance with Canada’s tax legislation and regulations and plays an important role in the economic and social well-being of Canadians.

The Minister of National Revenue is accountable to Parliament for all of the CRA’s activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.

The Canada Revenue Agency Act provides for the establishment of a Board of Management consisting of 15 Directors appointed by the Governor in Council. They include the Chair, the Commissioner and Chief Executive Officer; a director nominated by each province; 1 director nominated by the territories; and 2 directors nominated by the Government of Canada. Under the provisions of the Canada Revenue Agency Act, the Board of Management oversees the organization and administration of the CRA, including the management of its resources, services, property, personnel and contracts. In fulfilling this role, the Board of Management brings a forward-looking strategic perspective to the CRA’s administration, fosters sound management practices and is committed to efficient and effective service delivery.

As the CRA’s Chief Executive Officer, the Commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the Minister’s delegated authority. The Commissioner is accountable to the Board of Management for managing the CRA, supervising employees and implementing policies and budgets. Moreover, the Commissioner must assist and advise the Minister with respect to legislated authorities, duties, functions and Cabinet responsibilities.

The CRA is made up of 13 functional branches and 5 regional offices across the country.

Branches

  • Appeals
  • Assessment, Benefit and Service
  • Audit, Evaluation and Risk
  • Collections and Verification
  • Domestic Compliance Programs
  • Finance and Administration
  • Human Resources
  • Information Technology
  • International, Large Business and Investigations
  • Legal Services
  • Legislative Policy and Regulatory Affairs
  • Public Affairs
  • Service, Innovation and Integration

Regions

  • Atlantic
  • Ontario
  • Prairie
  • Quebec
  • Pacific

Chief Privacy Officer

The Assistant Commissioner, Public Affairs Branch, is the CRA’s Chief Privacy Officer. The Chief Privacy Officer has a broad mandate of overseeing privacy at the CRA. To fulfill this mandate, the Chief Privacy Officer: 

  • oversees decisions related to privacy, including privacy impact assessments
  • champions personal privacy rights, including managing internal privacy breaches, according to legislation and policy
  • reports to the CRA’s senior management on the state of privacy management at the CRA at least twice a year
The CRA's Chief Privacy Officer is a member of the Conference Board of Canada Council for Chief Privacy Officers.

Access to Information and Privacy Directorate

The Access to Information and Privacy Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the directorate:

  • responds to requests and enquiries under the Access to Information Act and the Privacy Act
  • responds to consultations and complaints
  • responds to and promotes informal disclosure requests
  • provides advice and guidance to CRA employees on the proper management and protection of personal information under the CRA’s control
  • co-ordinates the privacy impact assessment process within the CRA, including giving expert advice to CRA employees on privacy implications and options for avoiding or reducing risks
  • gives training and awareness sessions on access to information and privacy
  • communicates with the Treasury Board of Canada Secretariat and the offices of the information and privacy commissioners of Canada about policy and legislative requirements, complaints and audits
  • fulfills corporate planning and reporting obligations, such as the CRA’s annual reports to Parliament on the administration of the Access to Information Act and the Privacy Act

The Director of the Access to Information and Privacy Directorate has the full delegated authority of the Minister of National Revenue under the Access to Information Act and the Privacy Act. The Director also manages and co-ordinates the access to information and privacy program, leads strategic planning and development initiatives, and supports the Assistant Commissioner, Public Affairs Branch and Chief Privacy Officer with the privacy governance function.

The directorate is made up of 2 main divisions: processing, and program support and training. In addition to the directorate’s headquarters office in Ottawa, there is an office in Vancouver and an office in Montréal. In fiscal year
2018–2019, an equivalent of 133 full-time employees administered the Access to Information Act and the Privacy Act.

The following chart shows the structure of the Access to Information and Privacy Directorate.

Image described below
Image description

First row Director, Access to Information and Privacy (ATIP) Directorate

Middle row, first box Assistant Director, ATIP Processing, Corporate and Complex Case Division

Middle row, second box Assistant Director, ATIP Processing, Strategic Compliance Division

The two areas of responsibility of the Assistant Director, ATIP Processing, Strategic Compliance Division are listed in the two boxes below. They are: Tax Compliance Section and Operations / Training Manuals Section.

Middle row, third box Assistant Director, ATIP Processing, Legislative and HQ Operational Case Division

The two areas of responsibility of the Assistant Director, ATIP Processing, Legislative and HQ Operational Case Division are listed in the two boxes below. They are: Legislative Case Section and HQ Operations Section

Middle row, fourth box Assistant Director, ATIP Processing, Regional Operations Case Division – Vancouver

Middle row, fifth box Assistant Director, ATIP Processing, Regional Operations Case Division – Montréal

Middle row, sixth box Assistant Director, Program Support and Training Division

The two areas of responsibility of the Assistant Director, Program Support and Training Division are listed in the two boxes below. They are: Governance and Corporate Reporting Section and Business Processes Section


Access to Information and Privacy Oversight Review Committee

The Access to Information and Privacy Oversight Review Committee is an Assistant‑Commissioner‑level committee chaired by the Chief Privacy Officer. The committee was established to ensure horizontal consultation, collaboration and decision‑making on emerging access to information and privacy issues at the CRA.

Among other responsibilities, the committee reviews and approves the development, implementation and streamlining of key policies and processes related to access to information and privacy at the CRA.  

Delegation of responsibilities under the Privacy Act

As head of the CRA, the Minister of National Revenue is responsible for how the CRA administers and complies with the Privacy Act, Privacy Regulations and related Treasury Board of Canada Secretariat policy instruments. Section 73 of the Privacy Act gives the Minister the authority to designate 1 or more officers or employees of the CRA to exercise or perform all or part of the Minister’s powers, duties and functions under the Act.

The CRA’s current delegation order for the Privacy Act was signed by the Minister of National Revenue on
January 14, 2016. It identifies specific provisions of the Privacy Act and its regulations that the Minister has delegated to various positions within the CRA.

The access to information and privacy Director and Assistant Directors, as well as the Managers of the processing units, approve responses to requests under the Privacy Act. Delegations are also extended to the Commissioner, the Deputy Commissioner, the Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer. 

Image described below
Image description

Privacy Act

Delegation Order

I, Diane Lebouthillier, Minister of National Revenue, do hereby designate, pursuant to section 73 of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.

This designation replaces all previous delegation orders.

Diane Lebouthillier
Minister of National Revenue

Signed in Ottawa, Ontario, Canada this 14th day of January, 2016

Schedule: Privacy Act

The CRA positions that are authorized to perform the powers, duties and functions given to the Minister of National Revenue as head of a government institution under the provisions of the Privacy Act and its regulations are the following:
Commissioner

  • Full authority

Deputy Commissioner

  • Full authority

Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer

  • Full authority

Director, Access to Information and Privacy Directorate, Public Affairs Branch

  • Full authority

Assistant Directors, Access to Information and Privacy Directorate, Public Affairs Branch

  • Full authority with the exception of paragraphs 8(2)(j) and (m) and subsection 8(5)

Managers, Access to Information and Privacy Directorate, Public Affairs Branch

  • Subsection 9(1); sections 14 and 15; paragraphs 17(2)(b) and 17(3)(b); subsections 19(1) and 19(2); sections 20 to 22 and 23 to 28; subsections 33(2),
    35(1) and 35(4) of the Privacy Act; and section 9 of the Privacy Regulations.

Operational environment

As the chief administrator of federal, provincial and territorial tax laws, the CRA maintains one of the largest repositories of personal information in the Government of Canada. In addition, the CRA collects and manages the personal information for its workforce of over 40,000 individuals. Canadians trust the CRA with their personal information and the CRA takes the protection of that information very seriously. During the reporting period, in collaboration with a consulting firm, a full review of the CRA’s privacy management program took place. The recommendations resulting from the review will be implemented in fiscal year 2019–2020. For more details, see the Enhancement of the privacy management program section in this report.

The number of formal requests has increased exponentially in recent years. As a result, the inventory of requests received under the Privacy Act is at an unmanageable level. In fact, the CRA’s Access to Information and Privacy Directorate processes among the largest volume of privacy requests and pages of all federal institutions. According to the most recent Treasury Board of Canada Secretariat statistics, in fiscal year 2017–2018 the CRA processed the second largest volume of pages (over 900,000) of all federal institutions and received the seventh largest number of requests. This trend likely continued in 2018–2019, because the CRA received and completed more requests than at any point in history, with 4,789 requests received and 4,599 requests completed, requiring the review of just under 900,000 pages.

Beyond responding to this unprecedented volume of requests, most of the same resources that process these requests also process the requests received under the Access to Information Act and are responsible for other workloads including responding to consultations and complaints.

Due to this increasing demand on the access to information and privacy program, an access to information and privacy workload management plan, known as ATIP Way Forward, was developed during the reporting period and will be implemented in 2019–2020. For more details, see the ATIP Way Forward section in this report.

The following table shows the trend of requests received under the Privacy Act over the past 5 years.

Image described below
Image description

Privacy Act requests trend

In 2014-2015, 2,533 requests were received, 2,313 were completed, 636,207 pages were processed

In 2015-2016, 3,048 requests were received, 2,723 were completed, 476,832 pages were processed

In 2016-2017, 3,174 requests were received, 3,400 were completed, 1,086,917 pages were processed

In 2017-2018, 3,791 requests were received, 3,821 were completed, 920,251 pages were processed

In 2018-2019, 4,789 requests were received, 4,599 were completed, 896,837 pages were processed

ATIP Way Forward, a workload management plan

In 2016–2017, an access to information and privacy inventory reduction plan was developed to address high request volumes and a backlog. Due to several short-term measures implemented in the plan, including significant use of overtime, the plan exceeded expectations to reduce the carry-forward inventory and the deemed refusal volume. Although the measures taken were effective in achieving the directorate’s short and intermediate goals, it was determined that this was not an appropriate long-term solution.

In 2018–2019, the Access to Information and Privacy Directorate’s senior management team developed a renewed inventory reduction plan: the ATIP Way Forward workload management plan. The plan is designed to build foundational capacity and sustainable, long-term solutions. The proposed solutions include:

  • expediting staffing
  • addressing the backlog
  • addressing complaints
  • establishing a data analytics team (this will include improved reporting to offices of primary interest)
  • addressing technological challenges
  • reviewing and implementing changes to the organizational structure of the Access to Information and Privacy Directorate, including the establishment of a centre of expertise and centralization of the front end

A project manager will lead the implementation of the plan starting at the beginning of fiscal year 2019–2020.

Staffing

In 2018–2019, the Access to Information and Privacy Directorate undertook many actions to manage the growing access to information and privacy workload including:

  • researching innovative recruitment solutions
  • recruiting for multiple positions
  • launching 5 selection processes
  • addressing acting positions
  • providing developmental opportunities

Enhancement of the Privacy Management Program

In 2017–2018, the CRA commissioned a review of the way in which it manages privacy at the enterprise-wide level. This included a review of governance, policy instruments, guidance, tools, oversight, monitoring, training and communication.

The review concluded that the CRA has a strong culture around security and the protection of personal information. The review also identified areas in which improvements could be made to adapt to the changing privacy landscape.

The review’s resulting recommendations were based on Privacy by Design principles, where privacy is systemically embedded into business practices and systems. The recommendations specifically focused on:

  • raising the visibility of privacy management
  • driving collaboration between the Chief Privacy Officer and other CRA executives
  • improving governance and controls
  • reviewing organizational structure and required expertise
These recommendations, once implemented, will strengthen the CRA’s overall privacy management program and position the CRA as a leader in sound privacy management. In 2018–2019, extensive consultations were carried out to recruit a consulting firm to assist the CRA in implementing the recommendations. The contract was awarded in March of 2019, with the plan to implement the recommendations in 2019–2020.

Modernization of the Access to Information Act and the Privacy Act

Extensive work has taken place across the CRA in preparation for the royal assent of Bill C‑58: An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts. Although the primary focus of the bill is on the Access to Information Act, it does include related amendments to the Privacy Act.

Since the bill’s first reading in June of 2017, the CRA has held many internal briefings to ensure readiness. Leads have also been identified for each of the proactive publication requirements and collaboration has been ongoing with the CRA’s communications, language services, publishing, and legal services areas.

One of the more significant impacts of the bill on the CRA will be the requirement to post briefing note titles and tracking numbers on Canada.ca on a monthly basis. During the fiscal year, the CRA changed its processes to increase efficiency. One change was the adoption of the Treasury Board of Canada Secretariat’s routing slip so that sensitivities in the release of the titles can be identified. Training sessions were hosted across the CRA to support the smooth transition to the use of the routing slip. The revised routing slip was launched during the fiscal year.

The CRA continues to work closely with various stakeholders on the Government of Canada’s commitment to modernize the acts.

Informal disclosure

On an ongoing basis, the CRA explores ways to get information to clients in the fastest and most efficient way. One of these ways is informal disclosure. Informal disclosure is when information is provided without the need to make a request under the Access to Information Act or the Privacy Act. Examples of information provided informally are copies of tax slips and CRA policies and manuals. The Access to Information and Privacy Directorate receives a significant number of Privacy Act requests, referred to as “fast-track requests”, which could potentially be redirected to informal channels. During the fiscal year, the Access to Information and Privacy Directorate prepared extensive material in preparation for a meeting with the Office of the Privacy Commissioner of Canada, along with other government departments, to discuss ways to improve informal disclosure across government. The meeting is scheduled for the beginning of fiscal year
2019–2020.

The Directive for the Disclosure of Taxpayer and Other Information outlines the accountabilities of CRA officials for informal and formal disclosures. To supplement the directive, in 2018–2019, the CRA launched an informal disclosure course. The course is targeted to subject-matter experts who need a comprehensive understanding of the disclosure of protected information to taxpayers under program legislation. Additionally, an informal disclosure page was launched on the CRA’s intranet site; this page provides guidance and resources in support of expanded informal disclosure.

Training and awareness

Training

The Access to Information and Privacy Directorate is committed to promoting and providing access to information and privacy training to CRA employees. This training varies, depending on the needs of the employee. For instance, employees who have little or no knowledge of the subject are encouraged to take the ATIP Fundamentals course or the Access to Information in the Government of Canada course offered by the Canada School of Public Service. Subject matter experts are advised to take more specific training, such as on how to provide complete recommendations in response to requests. During the fiscal year, training was also given on Bill C-58 requirements.

The CRA’s Legal Services Branch provides specialized training on the Access to Information Act and the Privacy Act to advise CRA staff on how to prepare documents for release in CRA reading rooms, on informal disclosure and on the legal interpretation of the Access to Information Act and the Privacy Act for specialized CRA staff such as auditors.

In 2018–2019, more than 2,700 CRA employees across Canada participated in instructor‑led and online training. In total, this fiscal year:

  • 1,537 employees participated in 58 training sessions given by the CRA
  • 1,048 employees took the Canada School of Public Service ATIP Fundamentals online course
  • 46 employees attended the Canada School of Public Service Access to Information in the Government of Canada in-class course
  • 82 employees participated in specialized training given by the Legal Services Branch

The number of employees that attended online training is likely much higher than indicated above, because online training sessions are frequently attended by large groups of employees under 1 registration.

In 2017–2018, the CRA launched the first of a suite of 10 web-based modules that offer specialized technical training for access to information and privacy employees. In 2018–2019, the remaining 9 modules were launched. This series of modules is the first of its kind for access to information and privacy professionals in the Government of Canada.

In a continued effort to promote informal disclosure across the CRA, an informal disclosure page was published on the CRA’s intranet. The page provides detailed guidance and links to information on informal disclosure. 

Raising awareness

In 2018–2019, beyond the work completed by the CRA to enhance its privacy management program, the Access to Information and Privacy Directorate worked on many projects to enhance employees’ awareness of their privacy-related roles and responsibilities.

For the eighth consecutive year, the CRA joined the Office of the Privacy Commissioner of Canada and many other institutions internationally to promote Data Privacy Day. On that day, individuals are informed about the impact that technology has on privacy rights and the importance of valuing and protecting personal information.

The directorate also raised awareness about access to information and privacy and the role they play in supporting sound privacy management, through multiple committee meetings and in regular communication with CRA employees, including access to information and privacy contacts, and employees in the offices of primary interest who have been identified to liaise with the Access to Information and Privacy Directorate. 

Policies, guidelines and procedures

The Access to Information and Privacy Directorate dedicated significant time in 2018–2019 to the review of CRA corporate documents, including policy instruments, to make sure that the role of the CRA’s Chief Privacy Officer and privacy implications were considered.

Furthermore, the CRA continues to provide feedback to the Treasury Board of Canada Secretariat on draft corporate policy instruments and promote compliance once those policy instruments are implemented.

Changes to the CRA's privacy policy instruments are expected in 2019–2020, as a result of the implementation of the recommendations to revise its privacy management program. 

Directive on Personal Information Requests and Correction of Personal Information

The Directive on Personal Information Requests and Correction of Personal Information came into effect on
October 1, 2018. As per the directive, all government institutions are required to provide a written explanation to a requester when their Privacy Act request is expected to take more than 30 days to fulfill.

This new policy requirement delivers on the Government of Canada’s Budget 2016 commitment that when a request made under the Privacy Act takes longer than 30 days to fulfill, the Government will provide a written notification of the delay to the requester.

To ensure readiness for this new directive, the Access to Information and Privacy Directorate:

  • provided briefings to senior management and employees
  • made changes to the procedures manual and tracking system
  • incorporated monitoring of compliance with the directive into the internal monitoring and reporting process 

Internal procedures manual

During the reporting period, the Access to Information and Privacy Directorate completed an updated version of its internal procedures manual. This version is the second update to the manual since 2016 and serves as a guide for all major procedures related to access to information and privacy. The purpose of the manual is to promote consistent practices across the directorate when administering the Access to Information Act and the Privacy Act. The manual serves as a main resource tool for the directorate and it reduces the time needed to train new employees. In 2019–2020, the directorate will explore the feasibility of developing an online version of the manual.

Info Source update

During the reporting period, the CRA completed a review of its Info Source chapter. Info Source provides information about the functions, programs, activities and related information holdings of government institutions subject to the Access to Information Act and the Privacy Act. Info Source also provides guidance to individuals on how to access information held by government institutions to exercise their rights under these acts.

Each institution subject to the Access to Information Act and the Privacy Act must update its Info Source chapter annually by the due date set by the Treasury Board of Canada Secretariat. In accordance with this requirement, in June of 2018, the CRA updated 15 personal information banks and 10 classes of records. In addition, the list of reading room manuals was reviewed and updated.

The CRA's Info Source chapter can be found here: canada.ca/cra-info-source.

Monitoring

The Access to Information and Privacy Directorate produces a monthly report that captures key statistical information about the CRA’s inventory of access to information and privacy requests. The report monitors active and completed requests, including pages received and processed, the carry-forward inventory, the complexity levels and deemed refusal volumes. Management regularly uses the report to monitor trends, measure the directorate’s performance and identify any process changes needed to improve performance. The report is presented monthly to senior management at the Commissioner‑chaired Agency Management Committee.

To make sure the CRA is in full compliance with the Directive on Personal Information Requests and Correction of Personal Information, regular monitoring and reporting began during the reporting period and will continue in
2019–2020.

In addition to the monitoring and reporting mechanisms in place, more extensive data analytics is required for the access to information and privacy program at the CRA. The Access to Information and Privacy Directorate’s access to information and privacy database, which is used for monitoring and reporting, is primarily designed for workload management. Improving data analytics capabilities will require upgrades to the database, tools and employee skillsets.

Through the successful submission of a business case during the fiscal year to buy SAS data analytics software, in fiscal 2019–2020, a data analytics team will: 

  • identify and measure the trends that are causing access to information and privacy volumes to increase
  • analyze workload to identify process flow problems and evaluate the effectiveness of solutions
  • identify and measure trends related to privacy compliance
  • produce comprehensive reports to support business decisions and ultimately improve processes and privacy management

The establishment of the data analytics team will be done in 2 phases. Phase 1 started in 2018–2019 when the Service, Innovation and Integration Branch dedicated a team to review and evaluate the data in the Access to Information and Privacy Directorate’s tracking system. The branch assigned a data scientist to the directorate to work with business experts to determine the best approach to improve data quality and enhance the directorate’s data analytics capabilities. The directorate hired a project officer during the fiscal year to support the reporting processes. 

Phase 2, which will be implemented in 2019–2020, will be dedicated to determining the appropriate strategy going forward, including identifying reporting requirements, acquiring data analytics tools, database cleanup and enhanced reporting.

Managing privacy breaches

One of the cornerstones of Canada’s tax system is the trust Canadians place in the CRA to safeguard their personal information. The CRA takes the risk of a privacy breach very seriously and keeps its controls and sanctions strong to prevent unauthorized access and disclosure. Despite the effectiveness of the many controls in place, privacy breaches sometimes occur. Effectively managing privacy breaches is critical to maintaining public confidence in the integrity of the tax system.

This year, the CRA’s Security and Internal Affairs Directorate informed the Access to Information and Privacy Directorate of 103 incidents of alleged or confirmed improper access, collection, use and disclosure of personal information by the CRA. Additionally, the Access to Information and Privacy Directorate received 44 privacy related complaints and allegations from the Office of the Privacy Commissioner of Canada and/or individuals.

In 2018–2019, the majority of privacy breaches at the CRA resulted from misdirected mail. Misdirected mail is taxpayer information that has been incorrectly addressed or directed to the wrong person and is reported to the CRA as misdirected. Misdirected mail incidents represent 0.003% of the 110 million pieces of mail handled annually by the CRA.

The CRA follows the Treasury Board of Canada Secretariat’s guidelines to determine which privacy breaches meet the threshold for notification to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. In 2018–2019, the CRA reported 6 material privacy breaches to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Of these, 5 involved unauthorized access to taxpayer information by a CRA employee and 1 involved the unauthorized disclosure of taxpayer information.

The CRA continues to improve and evolve internal processes and systems to further protect taxpayer information. These controls include monitoring employee access to taxpayer information, limiting employees’ access permissions to only the information required to carry out their job and regularly reviewing employee access to CRA systems.

Privacy impact assessments

Canada Revenue Agency privacy impact assessment plan

The Canada Revenue Agency’s privacy impact assessment plan considers the key programs and activities of the CRA’s departmental results framework as outlined in the 2017–2019 Departmental Plan and assesses the associated privacy risks. The plan also considers the operational context outlined in the departmental plan, including the corporate risk profile that helps the CRA protect its integrity by identifying and putting plans in place to reduce risk exposure. All branches with ongoing privacy impact assessments are required to report on the progress of these assessments and corresponding action plans on a quarterly basis. The privacy impact assessment plan is evergreen and is amended as necessary to address any new priorities and activities that emerge during the planning cycle.

 

Since the implementation of the privacy impact assessment plan in 2014, the CRA has completed 49 assessments.

Summaries of completed privacy impact assessments

The CRA completed 12 privacy impact assessments during the 2018–2019 reporting period. In addition, a significant number of initiatives were reviewed to assess potential privacy impacts, which necessitated the review of documents such as privacy assessment determination questionnaires, threat and risk assessments, local application solutions and written collaborative arrangements.

In line with the Treasury Board of Canada Secretariat’s Directive on Privacy Impact Assessment, the CRA publishes summaries of completed privacy impact assessments on its website: canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment.

The following is an overview of the summaries of the 12 privacy impact assessments completed and sent to the Office of the Privacy Commissioner of Canada and to the Treasury Board of Canada Secretariat for review in 2018–2019:  

Anonymous internal fraud and misuse reporting line v 2.0 

The Anonymous Internal Fraud and Misuse Reporting line provides individuals with an anonymous, confidential and secure communication channel to report suspicions of fraudulent activity engaged in by employees and/or management. The reporting line is administered by an independent third-party contractor.

The privacy impact assessment has been updated to include the ClearView Connects™ contract extension, administrative updates such as completion of the Statement of Sensitivity and Threat and Risk Assessment and the updated Records Disposition Authorities.

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/anonymous-internal-fraud-misuse-reporting-line-v2.html.

Government of Canada Business Number Adoption: Web Validation Service v 2.0

In October 2013, the Deputy Minister of Service and Federating Identity endorsed the mandatory adoption of the business number by making it the common identifier for businesses throughout the Government of Canada. After being tasked by Innovation, Science and Economic Development Canada to develop the technical solution, the CRA established the Web Validation Service that provides federal government agencies and departments with the ability to adopt the business number as the common identifier.

The 2017 privacy impact assessment for this initiative has been updated to more accurately reflect current operating practices and incorporate the most current business number partner adopters.

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/government-canada-business-number-adoption-web-validation-service-v2.html.

Collections Tax Programs

Collections Tax Programs is responsible for collecting outstanding debts for the Government of Canada, all the provinces (except Quebec) and the territories. The types of debts collected include income tax, payroll deductions, goods and services tax / harmonized sales tax, the air travellers security charge, the softwood lumber products export charge, benefit or rebate overpayments, and duties and levies on products manufactured or services used in Canada.

This privacy impact assessment was completed to make sure that personal information is used strictly for the administrative purpose of collecting tax and non-tax debts, to identify risks to personal information within the program and to establish a risk action plan where measures to mitigate the risk are not adequate.

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/collections-tax-programs.html.

Contact Centre Operations v 2.0

Telephone enquiries call centres provide support to individuals (including benefit recipients), businesses and trusts, helping them to meet their tax obligations, become aware of benefit entitlements and receive answers to general or account-specific enquiries. Debt management call centres handle high-volume, low-complexity collections and compliance-related phone calls from across Canada.

Led by Shared Services Canada, the Government of Canada is replacing its aging contact centre infrastructure as part of the Contact Centre Transformation Initiative. This initiative will bring the contact centres of federal institution partners to the common, modernized, centrally managed, fully hosted, national Hosted Contact Centre Service platform. IBM Canada Ltd. has been contracted by Shared Services Canada to build the infrastructure that will support the Hosted Contact Centre Service. The CRA is modernizing its telephone enquiries and debt management call centres as part of this initiative in order to provide a higher standard of service to Canadians.

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/contact-centre-operations-v2.html.

Employer Accounts Program

The Employer Accounts Program is responsible for making sure that all employers deduct the required Canada Pension Plan contributions, employment insurance premiums and income tax from their employees' salary and wages. It also makes sure that employers send those deductions, along with their own share, to the CRA and that the deductions are reported correctly on the appropriate form.

The privacy impact assessment was updated to reflect the new use of a system that will enable better tracking of correspondence received from employers through the national verification and collections centres across Canada.

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/employer-accounts-program.html.

Employer Compliance Audit Program v 2.0

The Employer Compliance Audit Program is responsible for auditing employers’ books and records to ensure the proper reporting of employment income, taxable benefits and certain taxable benefits to shareholders, the withholding and sending of payroll-source deductions and the proper characterization of workers.

The privacy impact assessment was updated to reflect the new use of a system that will enable better tracking of the files. In addition, the program will start using risk assessment and research when selecting files.

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/employer-compliance-audit-v2.html.

GST/HST Returns and Rebates Processing Program

This privacy impact assessment assesses the personal information used to administer and enforce the GST/HST Returns and Rebates Processing Program, including the processing, assessment, validation, reassessment and verification of GST/HST returns. This update addresses the following recent changes to the program:

  • collaborating with Revenu Québec, in response to Budget 2018 “Strengthening Digital Services,” to provide digital services to residents of Quebec that better compare to those available to the rest of Canada
  • collecting and storing the Internet protocol address used to file an electronic GST/HST rebate (tentative for October 2020)
  • offering an electronic GST/HST rebate filing option for individuals through My Account and Represent a Client for owner-built, new housing rebates

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/gst-hst-returns-rebates-processing-program.html.

Income Verification Services Program v 2.0

The Income Verification Services Program helps federal, provincial and territorial partners determine eligibility for income-tested programs for such things as drug cost assistance, housing, student loans and grants. The CRA promptly provides taxpayer information to these income-tested programs with the consent of the individual applicant. The proof of the applicant’s income is then sent electronically to the partner government organization, which is required to determine the applicant’s eligibility for assistance. This process allows for faster processing and reduces the wait time for applicants.

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/income-verification-services-v2.html.

Individual Refund Set-off Program

The Individual Refund Set-off Program handles tax refunds and credit payable to individuals, which can be applied to debts those individuals owe to the Crown. Any federal, provincial or territorial department, agency or Crown corporation may participate in this program, subject to the CRA’s legislative and policy requirements.

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/individual-refund-set-off-program.html.

Specialty Business Returns Program v 2.0

The Specialty Business Returns Program assesses returns, refunds and rebate applications and issues notices of assessment and reassessment for excise duties and taxes, other levies and charges, and customs duties and tariffs collected by the federal government. The program is also responsible for all activities related to the filing of partnership information returns. The privacy impact assessment was updated to include the processing of the fuel charge and cannabis returns.

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/specialty-business-returns-program-v2.html.

Trust Accounts Examination Program v 2.0

The Trust Accounts Examination Program is responsible for examining employers' books and records to ensure proper deducting, sending and reporting of income tax (federal and provincial), goods and services tax / harmonized sales tax, Canada Pension Plan contributions, employment insurance premiums, employer-provided benefits and unreported income. The program is delivered in all tax services offices across Canada. In the province of Quebec, provincial tax and Canada Pension Plan contributions are not examined, since Revenu Québec administers its pension plan and income tax.

The Trust Accounts Examination Program is running a pilot project that explores the types of trust account examination files that could be worked on more efficiently within a tax services office without the need to travel to a taxpayer’s or authorized representative’s place of business. As part of the pilot project, employers and their representatives now have the option of sending documents to the CRA electronically.

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/trust-accounts-examination-v2.html.

T3 Trust Returns Assessing Program v 2.0

The T3 Trust Returns Assessing Program includes the assessment and reassessment of trust income tax and information returns. The program checks whether amounts on a return and related schedules are supported by the required documents and verifies the accuracy of the calculations of the amounts reported on the documents. The information collected by this program is used to determine a trust’s tax payable, penalties, interest or refund and is reflected on a notice of assessment or reassessment.

The privacy impact assessment has been updated to reflect a new request from the Ministère des Finances du Québec to share with them the same data file that the CRA currently shares with Revenu Québec.

For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/t3-trust-returns-assessing-v2.html.

Collaboration with oversight bodies and other organizations

The CRA continues to work closely with the Office of the Privacy Commissioner of Canada, the Treasury Board of Canada Secretariat and other organizations to strengthen privacy at the CRA. 

Office of the Privacy Commissioner of Canada

The CRA met with the Office of the Privacy Commissioner of Canada on various subjects throughout the fiscal year, including privacy breaches and specific privacy impact assessments. The follow-up on these privacy impact assessments involved multiple discussions, meetings and presentations given by the CRA to the Office of the Privacy Commissioner of Canada. 

Treasury Board of Canada Secretariat

The CRA strengthened its relationship with the Treasury Board of Canada Secretariat throughout the fiscal year by:  

  • collaborating on a community development initiative to develop a formal access to information and privacy network, to further meet the growing needs of access to information and privacy offices across the Public Service of Canada
  • participating in a panel discussion on privacy breaches
  • providing feedback on draft corporate policy instruments
  • consulting with the Information and Privacy Policy Division of the Treasury Board of Canada Secretariat on a wide-range of subjects, such as policy and legal interpretation
  • participating in access to information and privacy community meetings and in working groups on various privacy-related topics, including the modernization of the Privacy Act

Interpretation and explanation of Appendix A – Statistical report

Appendix A provides a statistical report on the CRA’s activities under the Privacy Act for the reporting period of April 1, 2018, to March 31, 2019. The following explains and interprets the statistical information and includes additional privacy statistics at the CRA.

Note
Some totals may be more than 100% due to rounding.

Part 1 – Requests under the Privacy Act

During the reporting period, the CRA received 4,789 new requests under the Privacy Act. This is an increase of 998 requests (26%) over last year’s total of 3,791 requests. Including the 512 requests carried forward from the 2017–2018 reporting period, the CRA had 5,301 active requests in its inventory.

The following table shows the number of requests the CRA received and completed under the Privacy Act, as well as the number of pages processed over the past 5 fiscal years. The number of requests received has nearly doubled from the 2014–2015 fiscal year. 

Fiscal year Requests received Requests completed Pages processed
2014–2015 2,533 2,313 636,207
2015–2016 3,048 2,723 476,832
2016–2017 3,174 3,400 1,086,917
2017–2018 3,791 3,821 920,251
2018–2019 4,789 4,599 896,837

Other requests and workload

Beyond the 4,789 requests received under the Privacy Act, the CRA processes a high volume of other requests. The additional volume significantly affects operations, since resources must be diverted to manage this workload. These additional requests include external and internal consultations, general enquiries, and complaints. For instance, the Program Support and Training Division of the Access to Information and Privacy Directorate responded to 4,123 emails and 972 phone enquiries received through the general enquiries mailbox and 1‑800 line. 

Part 2 – Requests closed during the reporting period

Disposition

For the second straight year, the CRA completed a record number of privacy requests. The disposition of the 4,599 requests completed is as follows: 

  • 1,994 were fully disclosed (43%)
  • 1,600 were disclosed in part (35%)
  • 3 were exempted in their entirety (0.1%)
  • 51 resulted in no existing records (1%)
  • 950 were abandoned by requesters (21%)
  • 1 was neither confirmed nor denied (0.02%)

 

778 (20%) more requests were completed in
2018–2019 than in
2017–2018.

The following chart shows the completion times for the 4,599 requests closed in 2018–2019.  

Image described below
Image description

Completion time

3,312 (72%) in 30 days or under

825 (18%) from 31 to 60 days

304 (7%) from 61 to 120 days

158 (3%) in 121 days or more

The Access to Information and Privacy Directorate completed 4,285 (93%) requests within the timelines required by law. This means that responses were provided within 30 calendar days or within an extended deadline.

For more details, see tables 2.5.1 and 2.5.2 of Appendix A.

Exemptions

The Privacy Act allows an institution to refuse access to specific information. For example, information about an individual other than the requester cannot be disclosed if the individual has not given his or her consent. Exemptions are applied by analysts to support non‑disclosure in these cases.

In 2018–2019, the CRA applied the following exemptions, in full or in part, for the 4,599 requests closed during the reporting period:

  • section 19 – Personal information obtained in confidence (19 times)
  • section 22 – Law enforcement and investigation (539 times)
  • section 25 – Safety of individuals (1 time)
  • section 26 – Information about another individual (1,301 times)
  • section 27 – Solicitor-client privilege (359 times)
  • section 28 – Physical or mental health of individuals (3 times)

Exclusions

The Privacy Act does not apply to information that is publicly available, such as in government publications and in libraries and museums. Also, the act does not apply to Cabinet confidences.

In 2018–2019, the CRA applied no exclusions for information that was publicly available or a Cabinet confidence. 

Format of information released

Requesters can choose to receive their response package in paper, CD or DVD format. Persons with disabilities may also request information in alternative formats, such as braille, although no such requests were received this fiscal year. Providing documents electronically significantly reduces manual processes and paper consumption.

 

In 2018–2019, of the 3,594 requests for which information was disclosed in full or in part, 2,492 requests (69%) were released in electronic format.

Complexity

  

In 2018–2019, the directorate processed an average of 195 pages per request.

The Treasury Board of Canada Secretariat uses 2 criteria to define complexity: the number of pages to process, and the nature and sensitivity of the subject matter. Based on these criteria, the CRA handles a large number of complex requests.

For example, to respond to the 4,599 requests closed during the fiscal year, the CRA processed 896,837 pages. Of the 4,548 requests for which records were disclosed, 1,091 (24%) involved processing more than 100 pages: 142 of these involved processing more than 1,000 pages and 12 involved processing more than 5,000 pages including 1 request that required the review of 52,363 pages. For more details, see table 2.5.2 of Appendix A.

Other requests were considered complex because of the nature and sensitivity of the subject matter. For more details, see table 2.5.3 of Appendix A.

Deemed refusals

A deemed refusal is a request that was closed after the deadline of 30 calendar days or, if a time extension was taken, after the extended deadline.

Of the 4,599 requests closed during the reporting period, 314 were closed after the deadline, resulting in a deemed refusal rate of 7%.

The CRA consistently receives a high volume of requests, with many of them broad in scope. In addition, there are other priorities for the directorate, including responding to consultations. Despite this, the CRA completed more files this year than any time in history.

 

The deemed refusal rate has decreased from 9% in 2017–2018 to 7% this year.

Requests for translation

Records are normally released in the language in which they exist. However, records may be translated to an official language when requested and when the institution considers it in the public interest to do so.

There were no requests for translation received in 2018–2019.

Part 3 – Disclosures under subsection 8(2)

Subsection 8(2) of the Privacy Act provides that, subject to confidentiality provisions in other acts of Parliament, personal information may be disclosed without consent for limited and specific circumstances. For example, where the public interest in disclosure clearly outweighs any invasion of privacy.

During the reporting period, there was 1 disclosure of personal information under paragraph 8(2)(m) of the Privacy Act. As a result, the CRA notified the Privacy Commissioner of Canada in accordance with subsection 8(5) of the Privacy Act.

Part 4 – Requests for correction of personal information and notations

Under the Privacy Act, an individual may ask for any factual errors or omissions in their personal information to be corrected.

The CRA received 1 request to correct personal information during 2018–2019.

Part 5 – Extensions

The Privacy Act sets the required timelines for responding to privacy requests. Time extensions are allowed under the following circumstances:

  • meeting the original time limit would unreasonably interfere with operations
  • there is a need to consult (for example, with a government institution or third party)
  • there is a need to translate or convert records into another format

Of the 4,599 requests closed in 2018–2019, the CRA applied extensions for 1,069 (23%) of them. Extensions were applied 99% of the time because of workload and meeting the original 30-day time limit would have resulted in unreasonable interference with CRA operations. The remaining 1% of the time was for consulting with third parties or other government institutions, as well as converting records into other formats.

Part 6 – Consultations received from other institutions and organizations

In 2018–2019, the Access to Information and Privacy Directorate closed 3 external consultation requests from other government institutions and organizations. To respond to these requests, 86 pages were reviewed. For more details, including disposition and completion times, see part 6 of Appendix A.

 

Over the past 5 years, there has been a 48% increase in the number of internal consultations completed.

In 2018–2019, 341 internal privacy consultation requests were completed, a 4% increase over the previous reporting period. To respond to these requests, the directorate reviewed a total of 6,899 pages. These requests are informal reviews that comply with the CRA’s informal disclosure prerequisites and do not fall under the Privacy Act.

The following table shows the increase in internal privacy consultation requests received over the past 5 years.

Image described below
Image description

Internal Privacy Consultation Trends

In 2014-2015, 230 internal privacy consultation requests were received, 3,772 pages were processed.

In 2015-2016, 202 internal privacy consultation requests were received, 5,837 pages were processed.

In 2016-2017, 253 internal privacy consultation requests were received, 5,311 pages were processed.

In 2017-2018, 328 internal privacy consultation requests were received, 11,033 pages were processed.

In 2018-2019, 341 internal privacy consultation requests were received, 6,899 pages were processed.

Part 7 – Completion time of consultations on Cabinet confidences

Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), the policies of the Treasury Board of Canada Secretariat require agencies and departments to consult with their legal services office to determine if requested information should be excluded. If there is any doubt or if records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.

In 2018–2019, the CRA did not apply any exclusions for Cabinet confidences.

Part 8 – Complaints and investigation notices received

In 2018–2019, the CRA received 47 complaints under the Privacy Act and closed 21 complaints. This represents a 62% increase in the number of complaints received from the previous reporting period and a 19% decrease in the number of complaints completed.

No complaints were pursued to the Federal Court.

The following chart shows the disposition of the complaints closed during the fiscal year.

Image described below
Image description

Complaint dispositions

2 (9%) Discontinued

4 (19%) Early resolution

1 (5%) Not well-founded

1 (5%) Resolved

13 (62%) Well-founded

Part 9 – Privacy impact assessments

During the reporting period, the CRA sent 12 privacy impact assessments to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Information on those assessments is given earlier in this report.

Part 10 – Resources related to the Privacy Act

Costs

During the fiscal year of 2018–2019, the Access to Information and Privacy Directorate’s direct cost to administer the Privacy Act was $6,723,710. This does not include significant support and resources from the branches and regions. For more details, see table 10.1 in Appendix A.

Human resources

In 2018–2019, an equivalent of 80.50 full-time employees were dedicated to administering the Privacy Act.

Conclusion

The CRA takes privacy and the safeguarding of personal information very seriously.

In 2018–2019, the CRA continued to make significant progress in addressing challenges by:

  • developing the ATIP Way Forward workload management plan
  • collaborating with partners across the CRA to make sure privacy implications were considered for new or revised initiatives that involved personal information
  • finalizing the review of the privacy management program and hiring a consulting firm to implement the recommendations
  • preparing for royal assent of Bill C-58
  • collaborating with the Treasury Board of Canada Secretariat and other federal agencies and departments to explore the feasibility of establishing an access to information and privacy community office

In 2019–2020, the CRA will continue its work to safeguard personal information and improve efficiencies in operations by implementing recommendations within the CRA’s revised privacy management program, implementing the ATIP Way Forward plan, submitting a business case to secure resources, continuing to work on the privacy impact assessment plan, and continuing to work closely with various stakeholders on the Government’s commitment to modernize the Privacy Act.

Appendix A – Statistical report

Statistical report on the Privacy Act

Name of institution: Canada Revenue Agency
Reporting period: April 1, 2018 to March 31, 2019

Part 1 – Requests under the Privacy Act

1.1    Number of requests

Requests Number of requests
Total 5,301
Received during reporting period 4,789
Outstanding from previous reporting period 512
Requests Number of requests
Total 5,301
Closed during reporting period 4,599
Carried over to next reporting period 702

Part 2 – Requests closed during the reporting period

2.1    Disposition and completion time

Disposition of
requests
1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total

All exempted

0

0

0

3

0

0

0

3

All excluded

0

0

0

0

0

0

0

0

No records exist

14

22

9

2

2

2

0

51

Request abandoned

863

39

32

5

1

3

7

950

Neither confirmed nor denied

0

1

0

0

0

0

0

1

Total

1,206

2,106

825

304

52

69

37

4,599

All disclosed

290

1,376

273

49

3

3

0

1,994

Disclosed in part

39

668

511

245

46

61

30

1,600

2.2    Exemptions

Section
Number of requests
18(2)
0
19(1)(a)
4
19(1)(b)
0
19(1)(c)
14
19(1)(d)
1
19(1)(e)
0
19(1)(f)
0
20
0
21
0
22(1)(a)(i)
9
22(1)(a)(ii)
5
22(1)(a)(iii)
0
22(1)(b)
529
22(1)(c)
0
22(2)
0
22.1
0
22.2
0
22.3
0
23(a)
0
23(b)
0
24(a)
0
24(b)
0
25
1
26
1,301
27
359
28
3

2.3    Exclusions

Section  
Number of requests
69(1)(a)
0
69(1)(b)
0
69.1
0
70(1)
0
70(1)(a)
0
70(1)(b)
0
70(1)(c)
0
70(1)(d)
0
70(1)(e)
0
70(1)(f)
0
70.1
0

2.4    Format of information released

Disposition Paper Electronic Other formats

Total

1,102

2,492

0

All disclosed

839

1,155

0

Disclosed in part

263

1,337

0

2.5    Complexity

2.5.1    Relevant pages processed and disclosed

Disposition of requests Number of pages processed Number of pages disclosed Number of requests

All exempted

670

0

3

All excluded

0

0

0

Request abandoned

15,075

12,162

950

Neither confirmed nor denied

0

0

1

Total

896,837

735,414

4,548

All disclosed

76,208

76,208

1,994

Disclosed in part

804,884

647,044

1,600

2.5.2    Relevant pages processed and disclosed by size of request

Less than 100 pages processed

Disposition of requests Number of requests Pages disclosed

All exempted

3

0

All excluded

0

0

Request abandoned

945

85

Neither confirmed nor denied

1

0

Total

3,457

87,368

All disclosed

1,878

57,022

Disclosed in part

630

30,261

101 - 500 pages processed

Disposition of requests Number of requests Pages disclosed

All exempted

0

0

All excluded

0

0

Request abandoned

1

101

Neither confirmed nor denied

0

0

Total

752

161,233

All disclosed

113

17,328

Disclosed in part

638

143,804

501 - 1000 pages processed

Disposition of requests Number of requests Pages disclosed

All exempted

0

0

All excluded

0

0

Request abandoned

1

505

Neither confirmed nor denied

0

0

Total

185

129,360

All disclosed

3

1,858

Disclosed in part

181

126,997

1001 - 5000 pages processed

Disposition of requests Number of requests Pages disclosed

All exempted

0

0

All excluded

0

0

Request abandoned

2

5,635

Neither confirmed nor denied

0

0

Total

142

238,442

All disclosed

0

0

Disclosed in part

140

232,807

More than 5000 pages processed

Disposition of requests Number of requests Pages disclosed

All exempted

0

0

All excluded

0

0

Request abandoned

1

5,836

Neither confirmed nor denied

0

0

Total

12

119,011

All disclosed

0

0

Disclosed in part

11

113,175

2.5.3    Other complexities

Disposition of requests Consultation required Legal advice sought Interwoven information Other Total

All exempted

0

2

0

0

2

All excluded

0

0

0

0

0

Request abandoned

1

8

9

23

41

Neither confirmed nor denied

0

0

0

0

0

Total

6

15

17

33

71

All disclosed

0

5

2

3

10

Disclosed in part

5

0

6

7

18

2.6    Deemed refusals

2.6.1    Reasons for not meeting statutory deadline

Number of requests
closed past the
statutory deadline
Principal reason - 
Workload
Principal reason -
External consultation
Principal reason -
Internal consultation
Principal reason -
Other

314

288

5

5

16

2.6.2    Number of days past deadline

Number of days past deadline Number of requests past deadline where no extension was taken Number of requests past deadline where an extension was taken Total

31 to 60

18

35

53

61 to 120

36

29

65

121 to 180

12

26

38

181 to 365

15

30

45

More than 365

19

12

31

Total

126

188

314

1 to 15

13

39

52

16 to 30

13

17

30

2.7    Requests for translation

Translation requests Accepted Refused Total
Total 0 0 0
English to French 0 0 0
French to English 0 0 0

Part 3 – Disclosures under subsections 8(2) and 8(5)

Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 1 1 2

Part 4 – Requests for correction of personal information and notations

Disposition for correction requests received Number
Total 1
Notations attached 1
Requests for correction accepted 0

Part 5 – Extensions

5.1    Reasons for extensions and disposition of requests

Disposition of requests 15(a)(i) Interference with operations 15(a)(ii) consultation - Section 70 15(a)(ii) consultation - Other 15(b) translation or conversion

All exempt

0

0

0

0

All excluded

0

0

0

0

No records exist

15

0

0

0

Request abandoned

28

0

0

0

Total

1,061

0

2

6

All disclosed

260

0

0

0

Disclosed in part

758

0

2

6

5.2    Length of extensions

Length of extensions 15(a)(i) Interference with operations 15(a)(ii) consultation - Section 70 15(a)(ii) consultation - Other 15(b) Translation or conversion
Total

1,061

0

2

6

1 to 15 days

4

0

0

0

16 to 30 days

1,057

0

2

6

Part 6 – Consultations received from other institutions and organizations

6.1    Consultations received from other government institutions and organizations

Consultations
 
Other government
institutions
Number of
pages to review
Other
organizations
Number of
pages to review

Total

3

86

0

0

Received during the reporting period

2

39

0

0

Outstanding from the previous reporting period

1

47

0

0

Consultations
 
Other government
institutions
Number of
pages to review
Other
organizations
Number of
pages to review

Total

3

86

0

0

Closed during the reporting period

3

86

0

0

Pending at the end of the reporting period

0

0

0

0

6.2    Recommendations and completion time for consultations received from other Government institutions

Recommendations Completion time -
1 to 15
days
Completion time -
16 to 30
days
Completion time -
31 to 60
days
Completion time -
61 to 120
days 
Completion time -
121 to 180
days
Completion time -
181 to 365
days  
Completion time -
More than
365 days
Total

Exempt entirely

0

0

0

0

0

0

0

0

Exclude entirely

0

0

0

0

0

0

0

0

Consult other institution

0

0

0

0

0

0

0

0

Other

0

0

0

0

0

0

0

0

Total

0

3

0

0

0

0

0

3

Disclose entirely

0

1

0

0

0

0

0

1

Disclose in part

0

2

0

0

0

0

0

2

6.3    Recommendations and completion time for consultations received from other organizations

Recommendation Completion time -
1 to 15
days
Completion time - 
16 to 30
days
Completion time -
31 to 60
days
Completion time -
61 to 120
days
Completion time -
121 to 180
days
Completion time -
181 to 365
days
Completion time - More than
365 days
Total
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other organization 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0

Part 7 – Completion time of consultations on Cabinet confidences

7.1    Requests with Legal Services

Number
of
days
Less than 100 pages processed - Number of requests Less than 100 pages processed - Pages disclosed 101 - 500 pages
processed - Number of requests
101 - 500 pages
processed - Pages disclosed
501 - 1000 pages
processed - Number of requests
501 - 1000 pages
processed - Pages
disclosed
1001 - 5000 pages
processed - Number of requests
1001 - 5000 pages
processed - Pages
disclosed
More than 5000 pages
processed - Number of requests
More than 5000 pages
processed - Pages
disclosed
61 to 120 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0

7.2    Requests with Privy Council Office

Number
of
days
Less than 100
pages processed - Number of requests
Less than 100
pages processed - Pages
disclosed
101 - 500 pages
processed - Number of requests
101 - 500 pages
processed - Pages disclosed
501 -  1000 pages
processed - Number of requests
501 -  1000 pages
processed - Pages disclosed
1001 - 5000 pages
processed - Number of requests
1001 - 5000 pages
processed - Pages disclosed
More than 5000
pages processed - Number of requests
More than 5000
pages processed - Pages
disclosed
31 to 60 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0
1 to 15 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0

Part 8 – Complaints and investigations notices received

Section 31 Section 33 Section 35 Court action Total
47 0 21 0 68

Part 9 – Privacy impact assessments (PIAs)

Number of PIA(s) completed 12

Part 10 – Resources related to the Privacy Act

10.1    Costs

Expenditures Amounts
  • Goods and Services - Professional services contracts

$350,490

  • Goods and Services - Other 
$341,403
Total $6,723,710
Salaries $5,796,583
Overtime $235,234
Goods and Services - Total $691,893

10.2    Human resources

Resources Person years dedicated to privacy activities
Regional staff 0.00
Consultants and agency personnel 2.00
Students 1.50
Total 80.50
Full-time employees 77.00
Part-time and casual employees 0.00

Appendix B – New reporting requirement

Statistical report on the Privacy Act

Name of institution: Canada Revenue Agency
Reporting period: April 1, 2018 to March 31, 2019

In 2018–2019, the Treasury Board of Canada Secretariat included a new requirement to report on the following exemptions.

Section
Number of requests
22.4 National Security and Intelligence Committee
0
27.1 Patent or Trademark privilege
0
Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: